Current port usage

SamB · May 2020

I currently have my LAN to WAN rule with ports and services set to Any. I'd like to limit that but I don't want to interrupt legitimate traffic out. Can you direct me to a guide or tell me how I figure which ports and services we're currently using?

mabdeljawad · May 2020

Hi SAMB

You need to monitor the used ports in the connections log, and start listing the used ports numbers and create an entry for these ports/services if they are not already exist in the ports/services default list.

What I suggest is to create a new policy and place it above this "Any/Any" policy so it will be processed traffic first, and start adding the collected list of ports/services into this policy, and keep monitoring the used ports "in the connection logs" for both policies, until you reach to a point in which the "Any/Any" policy doesn't have traffic logs (later you can delete this policy)

But you need to make sure the traffic generated in this period is legitimate traffic so you only add the required ports.

Regards

Mahmoud

Nevyaditha · May 2020

Hi@SamB,

For identifying the ports that are being used by certain specific applications and are not the well-known ports, you can setup packet capture on sonicwall and add them to the list of the allowed services.

https://www.sonicwall.com/support/knowledge-base/running-a-packet-capture-for-tcp-and-or-udp-traffic/170505277474380/

Hope this information helps you to identify the well known ports.

Regards,

Nevyaditha P

shiprasahu93 · May 2020

Hi @SamB ,

I agree with Mahmoud. You can start with the well known traffic like DNS(UDP 53), web traffic - HTTP(TCP 80) and HTTPS(TCP 443), Email traffic - SMTP(TCP 25), IMAP(TCP 143 and secure one uses 993), POP3(TCP 110 and secure one uses 995) and SMTPS(TCP 465 and 587). These are usually essential for all networks. Then you can start monitoring traffic and add the rest of the services.

If some applications are absolutely essential, their websites usually lists a number of ports that are crucial for them to function.

I hope that helps!

Thanks,

Shipra Sahu

Saravanan · May 2020

Hi @SamB,

For the scenario of tracing the TCP / UDP ports used by local devices / computers in your network, packet monitor feature in the SonicWall can provide greater help. Please follow below instructions to set the packet monitor on the SonicWall.

Navigate to INVESTIGATE | Packet Monitor.
Click on "Monitor Default" to clear out any previous capture parameters.
Click on "Configure"
In Settings Tab, disable all the check boxes.
Navigate to the "Monitor Filter" tab and specify the only fields as shown below,

Ether type: IP
IP type: TCP, UDP
Source IP: Specify the IP address of the local network PC or Laptop from where we'll try to pass some traffic.
Enable the checkbox “Enable Bidirectional address and port matching" and other check boxes should be left unchecked.

Navigate to "Display Filter" Tab, ensure all fields are empty and enable all check boxes.
Navigate to the "Advanced Monitor Filter" tab and enable all check boxes.
Click "OK" to save the parameters.
Click "Start Capture".
Click OK, and Start Capture.
Please click on Refresh option in the packet monitor page to see the traffic.
Once the necessary packets are captured, click on "Stop Capture".

You get options to export the captured packets in formats such as pcapng, libpcap, html and text.

Please post here for any further questions or clarifications.

Micah · May 2020

Hey @SamB! Hope you are well. Did any of the above responses help you with your query? Let us know!

SamB · May 2020

Hi,

I followed Mahmoud's instructions but I'm still getting some traffic hitting the Any/Any policy. Is there a way on the packet monitor to filter it down by the priority 10 access rule so I can see what I'm missing? I've only found that I can see there's usage based on the traffic statistics in the Firewall - Access Rules page.

Thanks!

shiprasahu93 · May 2020

Hello @SamB,

Feel free to use this KB below

https://www.sonicwall.com/support/knowledge-base/how-to-capture-traffic-using-access-rules/170505827155075/

You can then capture the packets that are using that specific access rule at priority 10.

I hope that helps!!

Thanks

SamB · May 2020

Hi,

I don't see how that narrows it down to the rule at priority 10. Do I need to go through all 200 of my rules to make sure none of the other ones have that checked?

Thanks!

shiprasahu93 · May 2020

Hello @SamB,

This is a troubleshooting option. It is not enabled by default. You can enable it on the rule for which you would like to perform the packet capture.

So, please enable that check box on the Any, Any, Any rule and you can monitor which traffic is going through that specific generic rule.

Thanks!

MasterRoshi · May 2020

@SamB Enable local appflow logging and monitor the connections. See below.

MasterRoshi · May 2020

If you need more detailed drill down capabilities and long term retention -- talk to your account manager about CSC analytics or On-prem Analytics.

SamB · May 2020

I think I have this figured out. It took a couple of your comments. First I used the connection manager as MABDELJAWAD suggested. That was pretty easy to look through. Then I created the rule above the Any-Any rule with those ports and, as NEVYADITHA suggested, turned on packet monitor on the Any-Any to see what was getting through. It was a lot. So then I had to look through that every so often to see what else needed to be added. I'm still doing that now.

Nevyaditha · May 2020

Thank you for the update @SamB !!

Join the Conversation

Current port usage

Best Answers

Answers